Difference between revisions of "APD/GBA - 56/2021"

From GDPRhub
Line 63: Line 63:
 
Employees at the financial institution could access the CCR via one of two systems. The first system, which was for regular staff, kept a record of each employee that used it. The second system, which was for managers, did not register employees. The financial institution states that only five employees had access to the CCR via the second system, and that they used a shared password.  
 
Employees at the financial institution could access the CCR via one of two systems. The first system, which was for regular staff, kept a record of each employee that used it. The second system, which was for managers, did not register employees. The financial institution states that only five employees had access to the CCR via the second system, and that they used a shared password.  
  
A file in the CCR which concerned the complainant was accessed at least 20 times between 2016 and 2018 via the second system. Whilst it was not possible to identify exactly which employee was responsible on account of the lack of record keeping, one of the five relevant employees is the defendant's ex-husband. According to the defendant, her ex-husband used his access to the database to obtain information which unfairly assisted him in proceedings concerning the liquidation of their joint estate following a divorce.
+
A file in the CCR which concerned the complainant was accessed at least 20 times between 2016 and 2018 via the second system. Whilst it was not possible to identify exactly which employee was responsible on account of the lack of record keeping, one of the five relevant employees is the defendant's ex-husband. According to the defendant, her ex-husband used his access to the CCR to obtain information which unfairly assisted him in proceedings concerning the liquidation of their joint estate following a divorce.
  
 
Whilst the complaint which the present decision regards was filed against the financial institution, the defendant has also filed a separate complaint against her ex-husband, which is pending.  
 
Whilst the complaint which the present decision regards was filed against the financial institution, the defendant has also filed a separate complaint against her ex-husband, which is pending.  
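Review bot: the party roles in the changed paragraph are inconsistent. Its first sentence says the file "concerned the complainant", but the same person is then called "the defendant" in "the defendant's ex-husband" and "According to the defendant, her ex-husband". The following context paragraph states that the complaint "was filed against the financial institution", which makes the institution the defendant. Since this revision already edits that sentence to replace "database" with "CCR", suggest also changing "defendant" to "complainant" in both places, and in "the defendant has also filed a separate complaint" in the next paragraph.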

Revision as of 16:55, 3 May 2021

APD/GBA - 56/2021
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(2) GDPR, Article 24 GDPR, Article 25 GDPR, Article 32 GDPR
Type: Complaint
Outcome: Upheld
Decided: 26.04.2021
Published:
Fine: 100000 EUR
Parties: n/a
National Case Number/Name: 56/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Belgian Data Protection Authority (in FR)
Initial Contributor: n/a

Fine for violation of Article 32 GDPR.

English Summary

Facts

The decision concerns access by employees within an unnamed financial institution to the Central Credit Register ('CCR') operated by the Belgian National Bank.

Employees at the financial institution could access the CCR via one of two systems. The first system, which was for regular staff, kept a record of each employee who used it. The second system, which was for managers, did not record which employee used it. The financial institution states that only five employees had access to the CCR via the second system, and that they used a shared password.

A file in the CCR which concerned the complainant was accessed at least 20 times between 2016 and 2018 via the second system. Whilst it was not possible to identify exactly which employee was responsible on account of the lack of record keeping, one of the five relevant employees is the defendant's ex-husband. According to the defendant, her ex-husband used his access to the CCR to obtain information which unfairly assisted him in proceedings concerning the liquidation of their joint estate following a divorce.

Whilst the complaint addressed in the present decision was filed against the financial institution, the defendant has also filed a separate complaint against her ex-husband, which is pending.

Dispute

Did the financial institution take appropriate measures to ensure a level of security appropriate to the risk, as outlined in Article 32 GDPR?

Holding

In progress

Comment

In progress

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.